Adding Pentest Sauce to your Vulnerability Management Recipe

Posted on August 6th, 2017

One question we get after performing a penetration test is “Why didn’t I see some of these vulnerabilities during our monthly vulnerability scans?” The truth of the matter is that many of the flaws both attackers and pentesters exploit do not typically show up in a Nessus, Nexpose, or [insert-vuln-scanner-name-here] scan. Most senior penetration testers and attackers seldom lean on a vulnerability scanning tool at all: it is very noisy on a network and can get you detected or removed, cause bandwidth problems, and so on.

Some pentesting techniques require manual testing and a creative attacker mindset. With that said, there are several things pentesters do regularly that could be adopted into a vulnerability management program.

Goal: Show how vulnerability analysts can go beyond running an authenticated vulnerability scan.

Reconnaissance is King: The most important step in both hacking and pentesting is reconnaissance. Many of the tools mentioned above are focused on reconnaissance rather than exploitation and could be considered for a vulnerability management program.

2) Find the tech stack: Identify the technology and its version so you can check for default credentials, default content, version-specific vulnerabilities, and misconfigurations:

- Many vulnerability scanners attempt to identify all of these items but can fall short, especially with web technologies.

- We can’t tell you how many times we have compromised a system simply by figuring out the technology in use and checking Exploit-DB/Google.

- Many technologies are deployed with weak authentication mechanisms in place, or no auth at all! (SCADA, printers, network cameras, etc.)
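As an added illustration of the tech-stack step (this is example code written for this post, not a tool from the original article), the script below fingerprints product names and versions out of HTTP Server and X-Powered-By headers and compares them against a version baseline kept by the vulnerability management team. The hosts, banners and the BASELINE table are all constructed for the example; anything the baseline does not know about is reported as "unknown" so a human decides whether it belongs on the network.

```python
import re

# Constructed sample: raw HTTP response headers collected from five hosts.
# These hosts and banners are made up for the example.
SAMPLE_BANNERS = {
    "10.0.0.5:80":   "HTTP/1.1 200 OK\r\nServer: Apache/2.4.29 (Ubuntu)\r\nX-Powered-By: PHP/7.2.24\r\n",
    "10.0.0.9:8080": "HTTP/1.1 200 OK\r\nServer: Apache-Coyote/1.1\r\nX-Powered-By: Servlet/3.0\r\n",
    "10.0.0.12:80":  "HTTP/1.1 200 OK\r\nServer: lighttpd/1.4.35\r\n",
    "10.0.0.20:631": "HTTP/1.1 200 OK\r\nServer: CUPS/2.2\r\n",
    "10.0.0.30:443": "HTTP/1.1 200 OK\r\nServer: Apache/2.4.52 (Debian)\r\n",
}

# Hypothetical baseline: the oldest version of each product still acceptable
# on the network. Maintained by the vuln management team, not by the scanner.
BASELINE = {
    "apache": (2, 4, 41),
    "php": (7, 4, 0),
    "lighttpd": (1, 4, 50),
}

# Header lines that usually leak a product name; value captured up to the line end.
HEADER_RE = re.compile(r"^(?:Server|X-Powered-By):\s*(.+?)\s*$", re.IGNORECASE | re.MULTILINE)
# "Product/1.2.3" tokens inside a header value (the token before the slash may contain dashes).
PRODUCT_RE = re.compile(r"([A-Za-z][A-Za-z-]*)/(\d+(?:\.\d+)*)")


def parse_version(text):
    """'2.4.29' -> (2, 4, 29) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def fingerprint(raw_headers):
    """Return (product, version_tuple) pairs found in Server / X-Powered-By headers."""
    found = []
    for value in HEADER_RE.findall(raw_headers):
        for product, version in PRODUCT_RE.findall(value):
            found.append((product.lower(), parse_version(version)))
    return found


def assess(banners, baseline):
    """Compare every fingerprinted product on every host against the baseline.

    Status values: 'ok', 'below_baseline' (older than allowed) or 'unknown'
    (product not in the baseline, needs a human decision).
    Caveat: distro packages often backport fixes without bumping the advertised
    version string, so a 'below_baseline' hit is a lead to confirm, not proof
    of a vulnerability.
    """
    results = []
    for host, raw in banners.items():
        for product, version in fingerprint(raw):
            minimum = baseline.get(product)
            if minimum is None:
                status = "unknown"
            elif version < minimum:
                status = "below_baseline"
            else:
                status = "ok"
            results.append({
                "host": host,
                "product": product,
                "version": ".".join(map(str, version)),
                "status": status,
            })
    return results


if __name__ == "__main__":
    for r in assess(SAMPLE_BANNERS, BASELINE):
        print(f"{r['host']:<14} {r['product']:<14} {r['version']:<8} {r['status']}")
```

In practice the banner dictionary would be fed by whatever recon data you already collect (scanner exports, a simple HEAD request sweep of your external footprint), and the baseline is where the team records what "current" means for each product. The point of the "unknown" bucket is the same one the post makes about printers and cameras: the devices the scanner has no plugin for are exactly the ones that need a human look.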

Be able to speak to the impact beyond the “Purple or Red”. Organizations get numb to thousand-page vulnerability scan reports loaded with “CRITICAL OMFG” findings. If you can help bubble the real issues to the top of the pile, it goes a long way toward remediation.
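To show what "bubbling the real issues to the top" can look like in practice, here is an added example (written for this post, not code from the original article) that re-ranks scanner findings by the context a pentester would weigh: internet exposure, whether credentials are needed, whether a public exploit exists, and how important the asset is. The Finding fields, the weights and the four sample findings are all hypothetical; the weights in particular are a starting point to tune, not a standard.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    host: str
    title: str
    scanner_severity: str   # the colour the scanner assigned: Critical/High/Medium/Low
    internet_facing: bool   # reachable from outside the perimeter
    unauthenticated: bool   # exploitable without any credentials
    public_exploit: bool    # a working public exploit is known to exist
    asset_tier: int         # 1 = business-critical, 2 = standard, 3 = lab/test


# Hypothetical weights: scanner severity is only the starting point, and the
# context bonuses can easily outweigh it. Tune these for your environment.
SEVERITY_BASE = {"Critical": 40, "High": 30, "Medium": 20, "Low": 10}
TIER_BONUS = {1: 15, 2: 5, 3: 0}


def priority_score(f):
    """Scanner severity plus the exposure context an attacker actually cares about."""
    score = SEVERITY_BASE[f.scanner_severity] + TIER_BONUS[f.asset_tier]
    if f.internet_facing:
        score += 25
    if f.unauthenticated:
        score += 20
    if f.public_exploit:
        score += 20
    return score


def impact_reasons(f):
    """Plain-language reasons a remediation owner can act on, instead of a colour."""
    reasons = []
    if f.internet_facing:
        reasons.append("reachable from the internet")
    if f.unauthenticated:
        reasons.append("no credentials needed")
    if f.public_exploit:
        reasons.append("public exploit available")
    if f.asset_tier == 1:
        reasons.append("business-critical asset")
    return reasons


def rank(findings):
    """Highest priority first."""
    return sorted(findings, key=priority_score, reverse=True)


# Constructed sample findings. Note that the scanner's two "Critical" items are
# not the two most urgent once context is applied.
SAMPLE_FINDINGS = [
    Finding("lab-01", "Outdated kernel", "Critical", False, False, False, 3),
    Finding("www-01", "Default admin page exposed", "Medium", True, True, True, 1),
    Finding("vpn-01", "Weak TLS configuration", "High", True, True, False, 2),
    Finding("erp-db", "Unpatched database listener", "Critical", False, True, True, 1),
]


if __name__ == "__main__":
    for f in rank(SAMPLE_FINDINGS):
        why = ", ".join(impact_reasons(f)) or "no aggravating context"
        print(f"{priority_score(f):>3}  {f.host:<7} {f.title:<30} [{f.scanner_severity}] {why}")
```

Run as-is, the "Medium" default admin page on the internet-facing crown-jewel host lands at the top and the "Critical" lab box lands at the bottom, and each line carries the sentence you would put in front of the remediation owner rather than a colour.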

Users commonly think, “It will never happen to me…” until it does.

Check out free tools such as GoPhish, Lucy, Phishing Frenzy, etc.

All of these techniques are obviously great for security in a perfect world. In reality there are only so many hours in the day, and security analysts can get spread thin. If that is the case, focus on understanding your external footprint first, then consider implementing the other tips as resources allow.